Saturday, May 9, 2009

OWASP AppSec Europe 2009 - Krakow

The conference runs from May 13th-14th, and I'll be there for this year's festivities. I'm speaking on the Thursday afternoon at 15:45 on the topic "Factoring Malware and Organized Crime in to Web Application Security".

If you're responsible for corporate security or secure Web application development, you should be planning on being at OWASP next week already. Don't forget to drop in on my talk.

The abstract for my talk:

The “good old days” of Web security being a battle between the application development team and a sole attacker operating from his bedroom have long since disappeared. Today’s Web application security is a battle with professional criminal hacking teams, organized at a global level, whose primary motivation is financial gain.

Despite knowledge of who the combatants are and their capabilities, both Web application developers and security consultants alike have persisted in largely ignoring this threat. Their doggedness in designing Web applications in the traditional way – with layers of authentication, authorization and complexity – has, to an extent, helped facilitate much of the success organized cyber-criminal teams have had over recent years.

Today's security professionals need to factor in this organized criminal threat. With malware being near ubiquitous at the client, application developers need to address the fact that upwards of one-third of their customers are likely to be infected at any point in time. If so, how do you trust the data coming from your own customers and continue to do business with them?

The threat is most prevalent within the online banking industry, but the success of the tactics used by cyber-criminals to exploit these Web application vulnerabilities has seen them increasingly adopted in other profitable online spheres. How should Web developers factor the use of malware (running on a host they have no control over) into their application design? How should security consultants test and evaluate the countermeasures deployed by application designers to combat an organized cyber-crime threat?

With even the most advanced client authentication technologies being defeated, this session will cover how cyber-criminals are really defeating Web applications (by example), along with the multi-disciplinary skills and tactics developers and consultants need to adopt in order to help combat the evolving threat.

About Me

Hi, I'm Gunter Ollmann and I've been earning a living in IT (mostly in consulting) since the late 1980s. For the last decade or so I've been focused exclusively on Internet security, having built and led multiple professional hacking and security research organizations around the world.

Today I'm CTO over at NCC Group - focused on the .Trust service under Domain Service, formerly CTO at IOActive, and former Chief Security Strategist at IBM Internet Security Systems. I tend to spend a lot of time investigating new threat vectors and cybercrime, taking a long-term strategic view of how Internet security is evolving, and helping define the protection technologies and services we'll need for the future.
You can also follow me on Twitter: http://twitter.com/gollmann

Note that any comments and blog postings here on Blogger are my personal thoughts and opinions, and do not necessarily reflect those of my employer.